Spark is keeping customers' valuable geographic location data off their cellphones for seven years - five years longer than the US average.
Vodafone NZ says it keeps data up to 14 months, while 2degrees did not say how long it keeps its data.
Every mobile phone creates a map of where you go that is captured as data.
It opens such a clear window into people's lives it is a valuable commodity to advertisers, but also to data brokers - buyers have included the US military, though in that case it was harvested off smartphone apps.
The Office of the Privacy Commissioner (OPC) said it had "not looked into the issue of mobile geolocation data practices specifically".
"We are monitoring developments overseas and this is an area that would be relevant in the next review of the TIPC [Telecommunication Information Privacy Code], subject to other priorities."
Spark said its seven years' cache is of the data that only shows the suburb or area a customer was in, not the triangulation data that more closely pinpoints movements.
"Occasionally the deletion cycle could be slightly earlier," Spark told RNZ.
"We have always retained data for lawful purposes permitted by the Privacy Act, such as planning and enhancing our network performance, fault finding, and billing and transaction record keeping.
"We regularly carry out privacy impact assessments and review our data practices."
The OPC did not say if it knew Spark had been keeping the data for so long - or if this might be pushing things.
"Our view is that the retention period needs to be justified by the purposes for which the information may lawfully be used," the OPC said.
"We note that Spark has provided a number of business-related reasons for retaining the data for this period and have said the data is protected by strict access controls."
2degrees said only that it kept geodata "for a limited period of time".
This was "to identify usage patterns and trends that will help us optimise, expand, or manage our network".
"We don't currently sell geolocation data or have any plans to," it said.
"Historically we did provide some anonymised data to a third party to track outdoor advertising effectiveness. This agreement concluded several years ago," 2degrees said.
Spark said it did not sell data "in which individuals can be identified and we have no plans to start".
"We do provide anonymised, aggregated mobile location data (in which individuals can't be identified) to Qrious, a wholly Spark-owned data and analytics organisation."
Need to be upfront on data collection
The Privacy Commissioner said companies must be upfront on why they collect geolocation data, and not sell it for any other purpose.
Vodafone NZ said it had not sold geolocation data previously "and we are not currently considering doing so".
Vodafone said there were no rules in New Zealand that specifically prescribed how long geolocation data could be retained, however if a person was identifiable the Privacy Act 2020 would apply.
RNZ made inquiries of the carriers, prompted by the controversy in the US.
There, recent reports have explored how buyers need not approach mobile carriers any more, because a plethora of phone apps gather the same data, and have been selling it to the likes of the Department of Homeland Security.
In relation to that, RNZ asked a year ago if government agencies here bought geolocation data from anyone.
A statement came via the Department of Internal Affairs: "The Government Chief Privacy Officer and Government Chief Digital Officer is not aware of any NZ government agency collecting cell phone information using commercially-available location records that binds cell phone data collected by a commercial third party and/or the network provider to an identified individual, on the scale reported in the American media provided."
Geolocation data can generate amazing maps, as The New York Times showed in its investigation.
The three local companies said they had not been subject to any official intervention over their handling of the data.
They each said they only share it in, say, an emergency with first responders, or if they are compelled to. The code forbids sharing unless an exception applies.
"Sharing information with government agencies is not something we do lightly. We take a strict approach," said Spark, which provided more fulsome responses than the other two firms to RNZ's questions.
It reports publicly on this type of request.
Some data - "a total device count in a broad geographic zone" - goes to Qrious to generate "insights" then sent to Stats NZ's commercial arm, Data Ventures, Spark said.
Customers could opt out of having their anonymised geolocation data used that way, Spark said.
Mobile carriers harvest geolocation data from phones 'pinging' cell towers over and over.
The apps harvest it using GPS, the global positioning system.
"There has been a proliferation of apps for contact tracing and quarantine enforcement that rely on GPS data to track people's movements," Human Rights Watch said. This was sometimes anonymised to usefully track population movements.